Run Unleashed on the Ruckus R730
The R730 has similar hardware to the R850, so it can be converted to run Unleashed versions up to 200.14.
DANGER
Ruckus 200.15+ releases aren't compatible with the R730 radios, so attempting to install these newer releases will just roll back your upgrade.
Please don't try to upgrade past the 200.14.6.1.203 release unless you are running your R730 as a Dedicated Master.
Unleashed Dedicated Master
When your R730 is running Unleashed in Dedicated Master mode, its radios are not enabled so you can install and run Unleashed 200.15, 200.16 and 200.17 firmware releases.
Reinstall Unleashed 200.14 firmware if you are running Unleashed 200.15+ firmware and subsequently decide to use the R730 as an ordinary Unleashed AP.
If you factory reset the R730 while running Unleashed 200.15+ firmware then you must choose Custom Install and tick the Dedicated Master checkbox in the setup wizard. Failure to do so will cause your R730 to revert to the previously installed firmware once the setup wizard is completed. If the previous firmware was also a 200.15+ release then you now own a brick. You might coax it back to life by plugging its network cable directly into your computer, otherwise you'll be learning the intricacies of using a serial cable to flash UBI partitions inside u-boot.
NOTE
The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP then you will have to substitute its assigned IP address anywhere the text 192.168.0.1 appears below.
Download and extract vulnerable R730 firmware
Download the ZoneDirector 10.1.2.0.120 Software Release, which contains a vulnerable R730 AP image.
Your internet browser can extract the R730 AP Image from the ZoneDirector Software Image.
Install the vulnerable firmware
Log in to the AP's web administration interface.
TIP
You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if you don't know the username & password.
The default username is "super", password is "sp-admin".
TIP
Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).
Upgrade the firmware
Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select the R730_10.1.2.0.120.bl7 or rcks_fw.bl7.main firmware file you extracted above.
Choose Perform Upgrade.
TIP
The upgrade will take a few minutes.
SSH to the AP
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1
TIP
If you see an error Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa then you probably need to update your crypto policy to allow SHA1.
$ sudo yum -y install crypto-policies-scripts
$ sudo update-crypto-policies --set DEFAULT:SHA1
You can disable SHA1 after you've completed this guide, if you wish.
$ sudo update-crypto-policies --set DEFAULT
Perform command injection
rkscli: Ruckus
Now type ";/bin/sh;" including the quotes and hit enter (you won't be able to see what you're typing).
grrrr
TIP
Instead of grrrr, another dog noise could be printed to the screen.
Escape to shell
rkscli: !v54!
What's your chow:
Now hit enter
BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
You now have a root shell.
TIP
If you don't see a BusyBox shell prompt, and instead see just the rkscli: prompt, then the injection hasn't worked.
Repeat the command injection step, ensuring you type ";/bin/sh;" including the quotes.
Store R850 model information
# bsp set name R850
# bsp set model R850
# bsp commit
You will see something like this:
Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash
You should now immediately install Unleashed.
WARNING
In particular, do not factory reset the AP until you've installed the Unleashed firmware.
Install Unleashed 200.14
Log in to the AP's web administration interface.
TIP
Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).
Upgrade to Ruckus Unleashed
I assume you have downloaded Ruckus R850 Unleashed 200.14 firmware.
Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R850 Unleashed firmware file.
Choose Perform Upgrade.
TIP
The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.
Job done!
Notes
The R730 will cause serious problems for nearby APs if you configure it to use 160 MHz wide channels, so please be a considerate neighbour and limit the channel width to 80 MHz or less.
Ruckus specifies a 31 W power supply for the R730. But you won't be using the USB port in Unleashed, so 30 W will be sufficient, and 30 W switches and injectors are easily obtainable. The R730 will typically draw less than 12 W.
- Most PoE injectors and non-enterprise switches won't be detected correctly by the R730, so you will need to manually override your R730's PoE Operating Mode to 802.3bt/class5 within the Unleashed web administration interface.
- The R730 may initially negotiate a 2.5Gb or 5Gb link when using a gigabit PoE injector into a multigig switch, but it will quite quickly train down to 1Gb.
- If you want to power your R730 from a 48V DC adapter then this must have a 3.5x1.35mm barrel connector. Many Aruba 48V power adapters use the same connector, if you're shopping around for a bargain.
If your AP is broadcasting an extra Technical.Support-xxxx SSID after you've finished setting up Unleashed, then you can try enabling Unleashed Multi-Site Manager (Admin & Services > Administration > Network Management > Unleashed Multi-Site Manager) with an unreachable IP, then immediately disabling it again.
Reverting to R730 Solo firmware
If you discover your R730 is defective then revert it to R730 Solo firmware before shipping it back to the seller.
It's also a good idea to revert your R730 to Solo firmware before reselling.
WARNING
If you want to sell or gift an R730 running Unleashed firmware then please disclose the inability to upgrade past 200.14 or run 160MHz wide channels.
I strongly recommend providing the recipient with a link to this page.
DANGER
Don't sell an R730 Dedicated Master AP running Unleashed 200.15+ firmware.
Install Unleashed 200.14 first, otherwise the AP is one factory reset away from being a brick.
Install vulnerable firmware
Download and install vulnerable Unleashed firmware and then use this to escape to a root shell.
Store R730 model information
ruckus$ bsp set name R730
ruckus$ bsp set model R730
ruckus$ bsp commit
Install Solo firmware
I assume
- you have a tftp server running
- you have downloaded the latest Ruckus R730 Solo firmware
- you copied the firmware to the tftp server's content directory
ruckus$ fw set proto tftp
ruckus$ fw set port 69
ruckus$ fw set host <TFTP server IP>
ruckus$ fw set control <R730 Solo firmware filename>
ruckus$ fw update
ruckus$ reboot
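A firmware write over TFTP is the step in this guide with no undo, so it is worth gating it on an integrity check. The script below is an added example and not part of the original guide or any Ruckus tooling: it copies the downloaded Solo firmware into the TFTP server's content directory only if its SHA-256 matches the digest you recorded when you downloaded it, and makes the copy world-readable so the tftp daemon can serve it. The function name stage_firmware, the argument order and the use of sha256sum from coreutils are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide or from Ruckus).
# stage_firmware <firmware file> <tftp root directory> <expected sha256 hex>
# Copies the firmware into the TFTP root only if its SHA-256 matches.
# Return codes: 0 staged, 1 missing file/directory, 2 checksum mismatch.
stage_firmware() {
    src="$1"        # path to the downloaded R730 Solo firmware
    tftp_root="$2"  # directory your tftp server serves, e.g. /srv/tftp (assumption)
    expected="$3"   # sha256 hex digest recorded at download time

    [ -f "$src" ] || { echo "missing firmware file: $src" >&2; return 1; }
    [ -d "$tftp_root" ] || { echo "missing tftp root: $tftp_root" >&2; return 1; }

    # sha256sum prints "<digest>  <filename>"; keep only the digest.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: expected $expected, got $actual" >&2
        return 2
    fi

    # The AP fetches the file by bare name, so stage it at the top of the root
    # and make it readable by the (usually unprivileged) tftp daemon.
    cp "$src" "$tftp_root/" || return 1
    chmod 0644 "$tftp_root/$(basename "$src")" || return 1
    echo "staged $(basename "$src") in $tftp_root (sha256 $actual)"
}
```

Run it as `stage_firmware ~/Downloads/<R730 Solo firmware filename> /srv/tftp <digest>` before the `fw set control` step; a non-zero exit means nothing was copied and you should re-download the image rather than proceed.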